Simple+TLS as mandatory-to-implement (RE: Issues with current authmeth draft.)



At 07:25 PM 5/12/2003, Ramsay, Ron wrote:
>I don't believe you can mandate simple/TLS!

I certainly cannot mandate it.  But the IETF certainly can. 

>At the time RFC 2829 was debated, a large number on the WG wanted this. They did not get their way because of the complexity of the solution. It was argued that a password-based method would be better. I think they believed it would still be DN/password, though. 

I think it is clear from this discussion that some folks didn't
get what they thought they were getting.

If one takes the view that RFC 2829 intended DNs in DIGEST-MD5
user names, then RFC 2829 is seriously broken.  DNs in DIGEST-MD5
is not workable.  So, it would be quite reasonable to open a
discussion on choosing a different mandatory-to-implement strong
authentication mechanism.

If one takes the view that RFC 2829 intended user name in
DIGEST-MD5 user names, then RFC 2829 just needs some clarification.
However, since significant specification and interoperability issues
exist with DIGEST-MD5, it would be reasonable here to open a
discussion on choosing a different mandatory-to-implement strong
authentication method.

At this point, I (as co-chair) consider the issue open.

Kurt